I am trying to configure OIDC integration with Elasticsearch and Kibana.

For development, I am using my own IdP based on Keycloak. Everything works fine. Roles are read out of the JWT token if I configure Keycloak to add the roles information to the identity token (as described in https://search-guard.com/kibana-openid-keycloak/).

In my production environment, using a corporate IdP based on Ping Identity, the IdP does not include the roles information in the identity token. I can access the user name based on the "sub" field in the token. But to access the roles information, it is necessary to query the OIDC userinfo endpoint.
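An added example of the lookup described in the last paragraph; it is not from the original post and is not Search Guard, Keycloak or Ping Identity code. It runs a fake userinfo endpoint on localhost so it works offline: the access token value, the user "alice", the claim name "roles" and the JSON returned by the endpoint are all constructed for the example. Two points it shows that the text only implies: the userinfo request carries the access token (not the ID token) as a bearer credential, and the client must check that the "sub" in the userinfo response equals the "sub" from the ID token before trusting the roles (OpenID Connect Core 5.3.2).

```python
"""Fetch roles from the OIDC userinfo endpoint when the ID token carries none.

Added illustration only. Everything runs offline against a fake IdP bound to
127.0.0.1; token values, claim name "roles" and the userinfo JSON are constructed.
"""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCESS_TOKEN = "constructed-opaque-access-token"   # the only token the fake IdP accepts
USERINFO_SUB = "alice"                              # constructed user
USERINFO_ROLES = ["kibanauser", "logstash"]         # constructed roles claim value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(sub: str) -> str:
    """Constructed ID token. Only the payload matters here; the signature is a
    placeholder. A real client verifies the signature against the IdP's JWKS first."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iss": "https://idp.example", "aud": "kibana"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def id_token_sub(id_token: str) -> str:
    """Read 'sub' from an already-verified ID token (no signature check in this helper)."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["sub"]


class _FakeIdP(BaseHTTPRequestHandler):
    """Minimal userinfo endpoint: demands the bearer access token, returns sub + roles."""

    def do_GET(self):
        if self.path != "/userinfo":
            self.send_error(404)
            return
        if self.headers.get("Authorization") != f"Bearer {ACCESS_TOKEN}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Bearer error="invalid_token"')
            self.end_headers()
            return
        body = json.dumps({"sub": USERINFO_SUB, "roles": USERINFO_ROLES}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_idp():
    """Start the fake IdP on a free port; returns (server, userinfo_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeIdP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/userinfo"


def fetch_roles(userinfo_url, access_token, expected_sub, roles_claim="roles"):
    """GET userinfo with the access token and return the roles list.

    The userinfo 'sub' must equal the ID token 'sub'; otherwise the response is
    discarded, so a token for another user can never map roles onto this one."""
    req = urllib.request.Request(
        userinfo_url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:   # raises HTTPError on 401
        info = json.load(resp)
    if info.get("sub") != expected_sub:
        raise ValueError(f"userinfo sub {info.get('sub')!r} != id_token sub {expected_sub!r}")
    roles = info.get(roles_claim, [])
    if isinstance(roles, str):          # some IdPs emit a single role as a bare string
        roles = [roles]
    return list(roles)


def run_demo():
    """Happy path plus the two failure modes: sub mismatch and a bad access token."""
    server, url = start_fake_idp()
    try:
        sub = id_token_sub(make_id_token("alice"))
        roles = fetch_roles(url, ACCESS_TOKEN, sub)
        try:
            fetch_roles(url, ACCESS_TOKEN, "mallory")
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = True
        try:
            fetch_roles(url, "wrong-token", sub)
            bad_token_status = None
        except urllib.error.HTTPError as err:
            bad_token_status = err.code
    finally:
        server.shutdown()
        server.server_close()
    return {"sub": sub, "roles": roles, "mismatch_rejected": mismatch_rejected,
            "bad_token_status": bad_token_status}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real IdP the userinfo URL comes from the `userinfo_endpoint` field of the provider's discovery document, and the claim that carries roles is whatever the IdP is configured to emit; the name "roles" above is an assumption for the example.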